FEDERAL BUREAU OF INVESTIGATION
“Fidelity, Bravery, and Integrity”
Combating the Insider Threat at the FBI: Real World Lessons Learned
Patrick Reidy
Disclaimer and Introduction
The views expressed in this presentation are those of the presenter and do not reflect the official policy or position of the Department of Justice, the Federal Bureau of Investigation, or the U.S. Government, nor does it represent an endorsement of any kind.
1 Insider threats are not hackers
2 Insider threat is not a technical or “cyber security” issue alone
3 A good insider threat program should focus on deterrence, not detection
4 Avoid the data overload problem
5 Use behavioral analytics
Threat focus: Computer intrusion
Protection: N/W perimeter, firewalls, IDS, proxies, A/V, DHCP, DNS
Detection technique: signature based

Threat focus: APT
Protection: + Internal N/W, host A/V, OS, application logs, email, net flow
Detection technique: + N/W anomaly

Threat focus: Insider
Protection: + DLP, DRM, Personnel data, data object interaction, non-N/W data
Detection technique: + data mining, behavioral
► NOT hackers
► People who joined
intent
► Most tools and techniques are designed with the hacker in mind
► We lose most battles 2 feet from the computer screen
► 24% of incidents, 35% of
► The “knuckle head” problem
► Policy violations, data loss, lost equipment, etc.
► Address with user training campaigns & positive social engineering
► 7% drop in incidents since last year
► Insider threat is not the most numerous type of threat
► 1900+ reported incidents in the last 10 years
► ~19% of incidents involve malicious insider threat actors
► Insider threats are the most costly and damaging
► Average cost $412K per incident
► Average victim loss: ~$15M / year
► Multiple incidents exceed $1 Billion
Sources: Ponemon Data Breach Reports: ‘08, ‘09, ‘10, ’11; IDC 2008; FBI / CSI Reports: ‘06, ‘07, ’08, ‘09, ‘10/’11; Verizon Business Data Breach Reports: ‘09, ‘10, ‘11, ’12, ’13; CSO Magazine / CERT Survey: ‘10, ’11; Carnegie Mellon CERT 2011 IP Loss Report; Cisco Risk Report ‘08
► Data from convictions under the Industrial Espionage Act (IEA), Title 18 U.S.C., Section 1831
► Average loss per case: $472M
► Misunderstanding example: The APT is not an insider threat because they steal credentials.
CERT Threat Models
► Environmental
► Human
  ► Internal
    ► Malicious: Espionage, I/T Sabotage, Fraud / abuse, IP Theft
    ► Non-malicious
  ► External
    ► Malicious
    ► Non-malicious
admins
threat/2010/09/insider_threat_deep_dive_it_sabotage.html
► The Intrusion Kill Chain is excellent for attacks, but doesn’t exactly work for insider threats
Reference: Intelligence-Driven Computer Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chain. E.M. Hutchins, M.J. Cloppert, et al.
Operational Security
cohesion
bad
knowledgeable the threat
DVDs / CDs, USBs, network transfer, emails
communications with external parties
find data for them
extensions
downloads over multiple sessions
► Many want you to believe insider threats are hackers in order to sell you things
► IDS, Firewalls, AV, etc. do not work
► No rules are being broken!
► Some great capabilities, but no “out of the box” solutions
► Data loss prevention, digital rights management, and IP theft protection products are maturing
Click Here to Catch Spy
► Programs do not just bolt into Security Operations Centers
► Dedicated staff with clear
Personnel
Serial #: 1234567
Badge# 2345
IP Addrs: 1.1.1.1
Works for Business Development
703-555-1212
Work schedule
Patterns of activity
Jdoe@ic.fbi.gov
Psychosocial Contextual Cyber
► Identify sensitive data
► Rate top 5 most important systems in terms of sensitive data
However…
► This is about survival in a hostile market place
► If your data is secure you can penetrate risky markets
► Your enemy is your business partner, are you designed that way?
It’s complex
It’s expensive
It may take years to achieve tangible results
Risk Averse Risk Takers
► Nope!
► British scientist who wanted to show empirically that educated people are superior
► Asked “commoners” to guess the weight of an ox at a fair
► Results:
► No single villager correct, but average < 2
► No single SME correct, average SME > 6 lbs off
Francis Galton (1822-1911)
► 13,900 people come to work armed everyday
► Our people are trusted to enforce the law and keep the country safe
Users will make good decisions given timely guidance
Risk reduction with no impact to workflow, etc.
Source: Internal FBI Computer Security Logs
[Chart: Data Growth (TB) by year, D+1 yr through D+7 yr; series: Individual Audits, Critical App Logs, Host Monitoring, N/W Monitoring; data labels shown: 0.5, 1, 6, 10, 50, 160, 2048 TB]
► Most people don’t evolve into true threats ► ~5% of the 65 espionage cases came in “bad” ► There are observable “red flags” we call indicators
► A rodent out-predicted our first generation systems
36
37
38
39
40
► Standard distributions (bell curves) are very rare
► >80% of data movement done by <2% of population
► Hint: Know your data or make huge analytic mistakes
Source: Internal FBI Computer Security Logs
[Chart: Per User Enterprise Data Egress Over 51st Week of 2012; y-axis: Data Amount, x-axis: Users]
day window more than once versus 12% of the control
1 Insider threats are not hackers.
Frame and define the threat correctly and focus on the insider threat kill chain
2 Insider threat is not a technical or “cyber security” issue alone
Adopt a multidisciplinary “whole threat” approach
3 A good insider threat program should focus on deterrence, not detection
Create an environment that discourages insiders by crowd sourcing security and interacting with users
4 Avoid the data overload problem
Gather HR data and data egress/ingress logs
5 Detection of insider threats has to use behavioral based techniques
Base detection on user’s personal cyber baselines
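The two analytic points in the deck, that enterprise data movement is not bell-shaped (most volume comes from a tiny fraction of users) and that detection should be based on each user's own cyber baseline, can be shown side by side in code. The following is an added example, not material from the presentation or an FBI tool; the egress records, user names, the choice of median/MAD as the baseline statistic, and the thresholds (k = 5 MADs, a 5%-of-median floor, z = 1 for the naive global cut-off) are all constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample egress records (user, day, bytes out). Not real log data.
# "bigmover" is a legitimately heavy user (think a backup or data-warehouse role);
# "jdoe" moves almost nothing until a 400 MB spike on day 7.
EGRESS_LOG = []
for day in range(1, 8):
    EGRESS_LOG.append(("bigmover", day, 900_000_000 + day * 10_000_000))
    EGRESS_LOG.append(("jdoe", day, 2_000_000 if day < 7 else 400_000_000))
    EGRESS_LOG.append(("asmith", day, 5_000_000 + (day % 3) * 1_000_000))
    EGRESS_LOG.append(("bchen", day, 3_000_000))


def per_user_series(log):
    """Group records by user, ordered by day: {user: [(day, bytes), ...]}."""
    series = defaultdict(list)
    for user, day, nbytes in log:
        series[user].append((day, nbytes))
    for user in series:
        series[user].sort()
    return series


def top_user_share(log):
    """Fraction of total egress attributable to the single largest mover.
    With heavy-tailed data this is typically very high, which is the
    'know your data' warning: a global average describes nobody."""
    totals = defaultdict(int)
    for user, _, nbytes in log:
        totals[user] += nbytes
    return max(totals.values()) / sum(totals.values())


def global_threshold_flags(log, z=1.0):
    """Naive approach: one enterprise-wide mean/stdev, flag anything above
    mean + z*stdev. The few heavy movers dominate both the mean and the
    stdev, so the cut-off fires on the legitimate heavy user and misses a
    spike that is enormous for jdoe but small at enterprise scale."""
    values = [nbytes for _, _, nbytes in log]
    cutoff = statistics.mean(values) + z * statistics.stdev(values)
    return {user for user, _, nbytes in log if nbytes > cutoff}


def personal_baseline_flags(log, k=5.0, min_history=5):
    """Per-user approach: compare each user's latest day against that user's
    own history using the median and median absolute deviation (MAD), which
    are robust to outliers. Flag when the latest day is more than k MADs
    away from the user's own median."""
    flagged = set()
    for user, points in per_user_series(log).items():
        history = [nbytes for _, nbytes in points[:-1]]
        latest = points[-1][1]
        if len(history) < min_history:
            continue  # not enough history to claim a baseline for this user
        median = statistics.median(history)
        mad = statistics.median([abs(v - median) for v in history])
        # Floor the MAD so a perfectly flat history (MAD == 0) does not turn
        # trivial jitter into an alert; 5% of the median is an assumed floor.
        scale = max(mad, 0.05 * median, 1.0)
        if abs(latest - median) > k * scale:
            flagged.add(user)
    return flagged


if __name__ == "__main__":
    print(f"share of egress from the top user: {top_user_share(EGRESS_LOG):.1%}")
    print("global threshold flags:", global_threshold_flags(EGRESS_LOG))
    print("personal baseline flags:", personal_baseline_flags(EGRESS_LOG))
```

Run as-is, the global cut-off flags only the heavy user whose volume is normal for them, while the personal baseline flags only jdoe, whose day-7 volume is hundreds of MADs above that user's own history. In a real program the baseline would be built from weeks of history and combined with the HR and contextual data the deck lists, but the shape of the mistake is the same at any scale.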